CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog

US Critical Infrastructure Security Agency (CISA) adds vulnerabilities in the UnRAR utility to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed security flaw, tracked as CVE-2022-30333 (CVSS score: 7.5), in the UnRAR utility to its Known Exploited Vulnerabilities Catalog.

The CVE-2022-30333 flaw is a path traversal vulnerability that resides in the Unix versions of UnRAR, the issue can be triggered by tricking victims into extracting a maliciously crafted RAR archive.

The vulnerability was reported in late June by cybersecurity researcher Simon Scannell from SonarSource.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

“RARLAB UnRAR on Linux and UNIX contains a directory traversal vulnerability, allowing an attacker to write to files during an extract (unpack) operation.” reads the announcement published by CISA.

CISA also added the recently patched CVE-2022-34713 remote code execution vulnerability flaw to the catalog. The vulnerability resides in the Microsoft Windows Support Diagnostic Tool (MSDT), the flaw has been exploited by threat actors in the wild. An attacker can trigger the flaw by tricking the victims into opening specially crafted files.

Microsoft states that the issue is a variant of the Dogwalk vulnerability that was disclosed in June.

“This bug also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document.” reads the description provided by ZDI. “It’s not clear if this vulnerability is the result of a failed patch or something new.”

CISA orders federal agencies to fix both issues by August 30, 2022.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, UnRAR utility)

[adrotate banner=”5″]

[adrotate banner=”13″]